Whose responsibility is cloud security anyway?
The question of whether moving to the cloud can be beneficial for security has largely been answered with a resounding "yes," which is why organizations increasingly rely on cloud-based technology and services for business operations.
A more nuanced conversation, however, centers on the question of who is ultimately responsible for cloud security.
The answer to this question is complicated by the fact that the cloud supply chain includes not just the customer and the cloud service provider, but potentially a variety of third parties in the form of infrastructure service providers, system integrators, and other partners.
To pinpoint where responsibility for security lies, enterprises need to examine the risks and weaknesses in their extended cloud supply chain and then develop a responsibility matrix that assigns each of those risks to a party who will mitigate it.
Adopting this best-practice approach to security, governance, and compliance is increasingly the only way for organizations that handle sensitive and confidential data -- from law firms to financial services firms and other enterprises engaged in knowledge work -- to ensure their information is protected at the highest levels.
Roles and Responsibilities
The first step is to figure out which part of "cloud security" the service provider is responsible for and which parts the consumer of those services has responsibility to look after.
Generally speaking, the customer -- the consumer of the cloud service -- is responsible for determining which end users are allowed access to the service and what they may do once inside, and typically achieves this via identity and access management solutions and the service's own permission settings.
Meanwhile, the physical infrastructure that the data is hosted on is a vendor responsibility: not just the servers themselves, but the security controls around access to those physical devices. For example, can just anyone wander into the datacenter, or is access carefully controlled and restricted to a highly vetted list? This part of the matrix is squarely in the hands of the vendor.
Given the large amount of responsibility that rests with the vendor, customers will want to ensure that the cloud service provider is using not just a zero trust model, but a zero touch one.
The zero trust framework challenges the idea of implicit trust in any form, whether that is trust in networks, trust between hosts and applications, or even trust in super users and administrators. The framework only works properly, though, if zero touch is at the heart of it: routine operations are automated so that human operators, and the human errors and insider risks that come with them, are largely removed from the path to customer data.
Working with service providers that have implemented a zero touch model clarifies key parts of the shared responsibility model, because it provides assurance that the vendor's staff have no routine technical means to access customer data. Customers should ask the vendor to demonstrate this rather than take it on faith, since a claim of zero touch is only as good as the controls and evidence behind it. Verified in that way, it makes that portion of the responsibility matrix as airtight as possible.
Kicking the Tires
As part of risk mitigation, customers are advised to kick the tires not just on the cloud service itself, but on the actual company that they're going to be partnering with.
How mature are they as an organization? How mature, specifically, is their security and compliance function? Do they hold certifications that demonstrate adherence to globally recognized frameworks such as ISO 27001 for information security management, ISO 22301 for business continuity, and SOC 2 for service organization controls, and does the scope of those certifications actually cover the service you are buying?
Another important question is whether they have outsourced various responsibilities for their cloud service to other third party service providers -- and whether you, as a customer, have good visibility into those arrangements.
After all, it is all well and good if the cloud vendor you signed up with ticks all the right boxes on maturity and certifications, but if they are outsourcing key parts of the process to organizations that do not meet those criteria, it is quite a different story.
Beyond gaining clarity on the extended supply chain, customers should also do some due diligence on the cloud vendor as a whole. For example, do they run endpoint protection and intrusion detection on their own corporate systems? How do they protect their corporate endpoints and the staff who use them?
These areas may have little to do with the delivery of the cloud offering itself, but they tell you a lot about the organization and its operations in general. Customers want to know that any information they share with the vendor -- a project proposal containing confidential details, for instance -- is secure, not just the data they will be storing in the cloud services they purchase from the vendor.
No Weak Links
Ultimately, security in the cloud is a shared undertaking among an ecosystem of participants including the customer, the cloud provider, and the extended supply chain. Like any chain, this interconnected arrangement is only as strong as its weakest link -- and a weakness or dereliction of duty in any one area, or by any one party, can result in sensitive and privileged data being compromised.
By drawing up a clearly defined responsibility matrix -- and by doing a deep dive on the parties responsible for each part of it -- enterprises can build a robust approach to shared responsibility for cloud security. In doing so, they can realize the benefits of the cloud for their business operations while keeping the security tradeoffs they accept explicit and deliberate, rather than discovering them after an incident.
Martin Ward is Director of Security, Governance, and Compliance, iManage